CVE-2014-3004
Castor < 1.3.3 - XML External Entity Injection via Default Xerces SAX Parser Configuration
Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-3004. PoCs published by Ron Gutierrez.
AI-analyzed exploit summary: This exploit demonstrates an XXE (XML External Entity) vulnerability in the Castor library, allowing an attacker to read arbitrary files from the server. The PoC shows how malicious XML input can be used to disclose sensitive information like /etc/passwd.
Description
The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.